Security and compliance go hand in hand when cloud computing is involved. As cloud consumers, enterprises are responsible for defining security policies, authorizing end-user use and understanding cloud compliance requirements. But all that responsibility doesn't fall solely on enterprise IT.
One way to ensure data security is through cloud security certifications. Third-party entities that are trusted by both cloud consumers and cloud providers review security practices of those providers and grant certifications if they meet certain standards.
Some certifications are designed to address the requirements of a broad range of users, such as Service Organization Controls 1 (SOC 1) and International Organization for Standardization 27001 (ISO 27001) certifications. Other certifications narrowly target particular types of end users, such as Payment Card Industry Data Security Standard (PCI DSS), which applies to businesses using payment cards and the Federal Information Security Management Act (FISMA), which addresses the needs of U.S. government federal agencies. Because these standards include general best practices, you may benefit from a cloud provider that meets these standards -- even if your business does not use payment cards or doesn't need to comply with FISMA.
Checks and balances: Cloud service provider security certifications
Cloud providers offer a wide range of services, but the quality of those services isn't immediately known. How do you know if the actual implementation of those services corresponds to what the cloud provider claims?
The SOC 1 report helps to address these concerns. This report covers the presentation of services from a cloud computing service provider, the design of systems for implementing those services and the effectiveness of operational controls for maintaining those services. The American Institute of CPAs has detailed documentation on SOC 1 and related reports, including information on the SSAE 16 report -- an auditor-to-auditor report about compliance.
The ISO 27001 standard is a comprehensive standard designed to help organizations plan, implement and maintain the security of information systems. This is a process-oriented standard with an emphasis on managing activities for maintaining a secure environment. The operations include identifying security requirements, assessing risks, implementing security controls and monitoring the effectiveness of those controls. To achieve ISO 27001 certification, a cloud service provider must have a systematic approach to risk assessment and information management.
Poor in-house security practices can undermine the benefits of sound cloud security practices of an established cloud service provider.
PCI DSS is designed to protect credit card and debit card information, but many of the measures are general best practices. For example, PCI DSS requires the use of firewalls, data encryption during transmission, the use of anti-malware and strong access controls, as well as network operations monitoring. Even if your enterprise does perform payment card transactions in the cloud environment, PCI DSS is good way to ensure your cloud provider has taken these security steps.
The U.S. Nation Institute of Standards and Technology (NIST) has defined a set of recommended security controls for federal information systems, commonly known as the 800-53 Revision 3 standard. This standard is the basis for assessing compliance with FISMA. NIST 800-53 Revision 3 includes features similar to the ISO 27001 standard, such as attention to risk management procedures, establishing baseline controls and monitoring ongoing operations. FISMA also requires third-party audits of the information management systems. For more on NIST 800-53, see the official documentation.
Cloud security certifications such as these are not only helpful, they're often required when working with cloud providers. Certifications attest to the state of security practices within a cloud provider and can help enterprises meet compliance reporting requirements. In some cases, such as with federal agencies, at least one of these certifications may be required before you can do business with a cloud service provider.
It's important to understand that certifications do not alleviate your responsibilities as a cloud consumer. Poor in-house security practices can undermine the benefits of sound cloud security practices of an established cloud service provider. For example, if you do not have a data-classification scheme in place and you have weak internal controls over authorizations to access and manipulate data, your data may be at risk even if it's stored with a cloud provider that holds a number of certifications.
Using a provider that adheres to specific cloud certifications can help enterprises meet some compliance requirements in the cloud. And sharing this burden with a cloud provider means enterprises have more time to address other internal security requirements.
About the author
Dan Sullivan, M.Sc., is an author, systems architect and consultant with more than 20 years of IT experience. He has had engagements in advanced analytics, systems architecture, database design, enterprise security and business intelligence. He has worked in a broad range of industries, including financial services, manufacturing, pharmaceuticals, software development, government, retail and education. Dan has written extensively about topics that range from data warehousing, cloud computing and advanced analytics to security management, collaboration and text mining.
This was first published in January 2013